Apple has released new versions of iOS and OS X, both of which include a significant number of security patches,

several for bugs that can lead to remote code execution and other serious issues.

Version 8.4 of iOS contains fixes for more than 30 security vulnerabilities, including bugs in the iOS kernel, WebKit,

and CoreText. Apple also patched the vulnerability that leads to the Logjam attack, an issue with servers that support

weak Diffie-Hellman cryptography. To fix that issue in iOS, Apple released a patch for the coreTLS component of the

operating system.

“coreTLS accepted short ephemeral Diffie-Hellman (DH) keys, as used in export-strength ephemeral DH cipher suites. This issue, also known as Logjam, allowed an attacker with a privileged network position to downgrade

security to 512-bit DH if the server supported an export-strength ephemeral DH cipher suite. The issue was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits,”

the Apple advisory says.

Apple also patched an interesting bug that involved the way that iOS handles payloads from SIM cards. The

vulnerability could allow an attacker to craft a malicious SIM card that could give him code execution on a target

device.

Among the other vulnerabilities addressed in iOS 8.4 are a number of WebKit bugs, some of which could lead to

arbitrary code execution. The code execution flaws include a pair of memory corruption vulnerabilities in WebKit, and

an issue with the way the framework handled some SQL functions.

“An insufficient comparison issue existed in SQLite authorizer which allowed invocation of arbitrary SQL functions. This issue was addressed with improved authorization checks,” the Apple advisory says.

There is a patch in the new version of iOS for a bug that could lead to an attacker being able to replace a legitimate

app with a malicious one under some conditions. The vulnerability is in the way the OS handles universal

provisioning profiles, and could be used to replace system apps such as Apple Pay. Researchers at FireEye

discovered the vulnerability and reported it to Apple almost a year ago.

“Manifest Masque Attack leverages the CVE-2015-3722/3725 vulnerability to demolish an existing app on iOS when

a victim installs an in-house iOS app wirelessly using enterprise provisioning from a website. The demolished app

(the attack target) can be either a regular app downloaded from official App Store or even an important system app,

such as Apple Watch, Apple Pay, App Store, Safari, Settings, etc. This vulnerability affects all iOS 7.x and iOS 8.x

versions prior to iOS 8.4. We first notified Apple of this vulnerability in August 2014,”

FireEye’s researchers wrote in an explanation of the bug and its consequences.

As for OS X, Apple patched many of the same bugs that were present in iOS, along with dozens of others, for a total

of more than 75 flaws in all. OS X 10.10.4 includes patches for several buffer overflow vulnerabilities in the Intel

graphics driver, some of which could lead to code execution. Apple also fixed a number of memory corruption bugs

in QuickTime that could be used for code execution.

In both iOS and OS X Apple updated the certificate trust policy to address the CNNIC certificate issue, among other

problems.

Image from Flickr photos of GDS-Productions.